Lecture04: Network Layer Security
Presentation Layer Security
Lecture 7
Supakorn Kungpisdan
[email protected]
NETE4630
1
Outline
Introduction to Presentation Layer
NetBIOS
CIFS or SMB
NetBIOS and Enumeration
Sniffing Encrypted Traffic
Introduction to Presentation Layer
The presentation layer deals primarily with data representation.
If one host uses Extended Binary Coded Decimal Interchange Code (EBCDIC) for its character set and another uses ASCII, the presentation layer converts the data according to each host's needs.
Other functions include data compression, data encryption, and manipulating XML objects.
Common Internet File System (or SMB)
Common Internet File System (CIFS), also known as Server Message Block (SMB), is a network protocol for file sharing on a LAN, running at the application/presentation layer.
A client-server protocol.
Relies on other protocols for transport; the most commonly used is NetBIOS over TCP (NBT).
MS OSes use CIFS for remote file operations (mapping network drives), browsing (via Network Neighborhood), authentication (NT, Windows 2000, 2003), and remote printer services.
Unix OSes also implement CIFS via the SAMBA program.
NetBIOS and SMB vs OSI (diagram of the protocol stack against the OSI layers; not reproduced in the transcript)
CIFS History
In 1984, IBM wrote NetBIOS, an API allowing basic network communication between hosts on a small subnet, but it required a transport protocol.
In 1985, IBM released a transport protocol for NetBIOS.
The two were merged into the NetBIOS Extended User Interface (NetBEUI).
Later, NetBIOS was implemented over various transport protocols, e.g. DECnet, IPX/SPX, and TCP/IP.
CIFS History (cont.)
Soon after, MS and Intel created the first rendition of the SMB/CIFS file sharing protocol, titled "Core Protocol".
MS and Intel chose NetBIOS to deliver the upper-layer CIFS packets.
CIFS using NetBIOS over TCP became the standard network file sharing mechanism for MS OSes.
Several operations have been added to CIFS over time:
- File access
- File and record locking
- Safe file caching
- File change notification
- Protocol negotiation
- Extended file attribute handling
- Batched requests
- Unicode support
Outline
Introduction to Presentation Layer
NetBIOS
CIFS or SMB
NetBIOS and Enumeration
Sniffing Encrypted Traffic
NetBIOS
NetBIOS runs over many transport protocols, but today TCP/IP is the most common transport used.
Main NetBIOS services:
1. Name service
2. Session service
3. Datagram service
NetBIOS Name Service
NetBIOS names are human-readable names assigned to computers on a network.
Commonly seen in Windows in Network Neighborhood.
They serve the same purpose as DNS in TCP/IP, but use a different method.
The service operates on UDP port 137.
NetBIOS Name Services (cont.)
Broadcast and/or server based:
Name registration and lookups can be accomplished by broadcasting to the LAN and/or using a central NetBIOS name server (NBNS or WINS):
- Broadcast only (B-node)
- NBNS only (P-node)
- Broadcast first, then NBNS (M-node)
- NBNS first, then broadcast (H-node)
Dynamic registration:
With NetBIOS, when a computer boots, it registers its name/IP combination dynamically.
NetBIOS Name Services (cont.)
The two most common NetBIOS name service operations are name registration and name query.
Name registration associates a NetBIOS name with an IP address.
Try: C:\> nbtstat -A ip-address (the -A switch takes an IP address)
Name query determines the IP address associated with a given name.
Try: C:\> nbtstat -a computer-name (the -a switch takes a NetBIOS name)
Name Registration (B-node)
(diagram: the registering host broadcasts to the LAN; not reproduced in the transcript)
1. Broadcast a name registration packet containing the name and IP over UDP port 137 three times (waiting 250 ms each).
2. If a host has already registered the name, it sends back a defense packet.
Name Registration (P-node)
(diagram: client and WINS server; not reproduced in the transcript)
1. Unicast a name registration packet over UDP port 137 directly to the NBNS three times (waiting 250 ms each).
2. If the name is already registered, the NBNS sends back a defense packet.
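The name service packets described on these slides, as an added example that is not part of the lecture material: it implements the RFC 1001/1002 first-level name encoding and builds and parses the broadcast name query and name registration requests a B-node sends on UDP port 137. The host names, transaction IDs and IP address are constructed sample values, and only the Python standard library is used.

```python
# Added example (not from the lecture): NetBIOS name service packets per
# RFC 1001/1002. All names, transaction IDs and addresses are constructed.
import struct

NBNS_PORT = 137
FLAGS_QUERY_BCAST = 0x0110  # R=0, opcode QUERY (0), RD=1, B (broadcast)=1
FLAGS_REG_BCAST = 0x2910    # R=0, opcode REGISTRATION (5), RD=1, B=1
QTYPE_NB = 0x0020
QCLASS_IN = 0x0001
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}


def encode_name(name, suffix=0x00):
    """First-level encoding: upper-case, space-pad to 15 bytes, append the
    1-byte suffix, then write each nibble of each byte as a letter 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))


def decode_name(encoded):
    """Inverse of encode_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def _question(name, suffix):
    # label length 0x20, 32 encoded bytes, root label 0x00, QTYPE NB, QCLASS IN
    return (b"\x20" + encode_name(name, suffix) + b"\x00"
            + struct.pack("!HH", QTYPE_NB, QCLASS_IN))


def build_name_query(name, txid, suffix=0x00):
    """Broadcast NAME QUERY REQUEST: 12-byte header with QDCOUNT=1."""
    header = struct.pack("!HHHHHH", txid, FLAGS_QUERY_BCAST, 1, 0, 0, 0)
    return header + _question(name, suffix)


def build_name_registration(name, ip, txid, suffix=0x00, ttl=300000):
    """Broadcast NAME REGISTRATION REQUEST: the question plus one additional
    record (ARCOUNT=1) whose RDATA carries NB_FLAGS and the claimed IP."""
    header = struct.pack("!HHHHHH", txid, FLAGS_REG_BCAST, 1, 0, 0, 1)
    nb_flags = 0x0000  # unique name, B-node owner
    # 0xC00C is a compression pointer to the question name at offset 12
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_NB, QCLASS_IN, ttl, 6)
    rdata = struct.pack("!H", nb_flags) + bytes(int(o) for o in ip.split("."))
    return header + _question(name, suffix) + rr + rdata


def parse_packet(data):
    """Decode what a defender wants from a port-137 capture: which name is
    being asked for or claimed, whether it was broadcast, and the claimed IP."""
    txid, flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", data[:12])
    if data[12] != 0x20:
        raise ValueError("unexpected label length")
    name, suffix = decode_name(data[13:45])
    pos = 50  # past the terminator (45), QTYPE (46-47) and QCLASS (48-49)
    info = {"txid": txid, "opcode": OPCODES.get((flags >> 11) & 0xF, "unknown"),
            "broadcast": bool(flags & 0x0010), "name": name, "suffix": suffix,
            "ip": None}
    if arcount:
        struct.unpack("!HHHIHH", data[pos:pos + 14])  # pointer, type, class, ttl, rdlength, nb_flags
        info["ip"] = ".".join(str(b) for b in data[pos + 14:pos + 18])
    return info
```

The three-times/250 ms retry on the slide is the sender's schedule, not part of the packet, and the defense packet of step 2 is what the legitimate owner sends back when parse_packet shows someone else claiming its name.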
NetBIOS Session Service
From RFC 1001: "A session is a reliable message exchange, conducted between a pair of NetBIOS applications. Sessions are full-duplex, sequenced, and reliable."
CIFS uses the session service to send and receive all upper-layer commands, including file and printer operations.
The first step in any CIFS communication is to establish a NetBIOS session between client and server.
Session Service Primitives
Call: Initiate a NetBIOS session. Create a TCP connection and send a NetBIOS call packet containing the client's NetBIOS name and the server's NetBIOS name.
Listen: Wait for a NetBIOS call command. Mapped to a server waiting on TCP port 139.
Hang Up: End a NetBIOS session. Mapped into TCP by initiating a TCP teardown sequence.
Send: Send a message over a NetBIOS session.
Send No ACK: Similar to Send, but no acknowledgment is required.
Receive: Receive a message from a NetBIOS session.
Session Status: Obtain information about the session.
NETE4630 Advanced Network Security and Implementation
NetBIOS Datagram Service
From RFC 1001: "The datagram service is an unreliable, non-sequenced, connectionless service."
Used by NetBIOS applications as a fast, broadcast-capable, low-overhead method of transferring data.
Implemented on UDP port 138.
All NetBIOS datagram packets add a header containing the NetBIOS name and whether or not the NetBIOS datagram was fragmented to be sent via UDP.
The CIFS protocol standard does not implement the NetBIOS datagram service, but CIFS implementations typically use it for browsing.
NetBIOS Datagram Service Primitives
Send Datagram: Send a datagram to a remote NetBIOS name.
Send Broadcast Datagram: Send a datagram to all NetBIOS names on the network.
Receive Datagram: Wait for a packet to arrive from a Send Datagram operation.
Receive Broadcast Datagram: Wait for a packet to arrive from a Send Broadcast Datagram operation.
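The session and datagram services together, as an added example that is not from the lecture: the Call primitive's session request sent after the TCP connection to port 139 opens, with the positive and negative responses a listener answers with, and the UDP port 138 datagram header whose FIRST/MORE flag bits record the fragmentation the slide mentions. Names, ports, IDs and payloads are constructed; the name encoding helper repeats the RFC 1001 scheme so the block runs on its own.

```python
# Added example (not from the lecture): NetBIOS session request/response
# (RFC 1002 s.4.3) and datagram header (RFC 1002 s.4.4). Sample values constructed.
import struct

SESSION_PORT, DATAGRAM_PORT = 139, 138
SESSION_REQUEST, POSITIVE_RESPONSE, NEGATIVE_RESPONSE = 0x81, 0x82, 0x83
DGM_TYPES = {0x10: "direct unique", 0x11: "direct group", 0x12: "broadcast", 0x13: "error"}
# 14-byte datagram header: type, flags, id, source ip, source port, length, packet offset
DGM_HEADER = struct.Struct("!BBHIHHH")


def encode_name(name, suffix=0x00):
    """RFC 1001 first-level encoding (same scheme as the name service)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))


def decode_name(encoded):
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def _label(name, suffix):
    return b"\x20" + encode_name(name, suffix) + b"\x00"


def build_session_request(called, calling, called_suffix=0x20, calling_suffix=0x00):
    """Call primitive: TYPE 0x81, then the called (server) and calling (client)
    names, 34 bytes each. Suffix 0x20 marks the server service name."""
    body = _label(called, called_suffix) + _label(calling, calling_suffix)
    return struct.pack("!BBH", SESSION_REQUEST, 0, len(body)) + body


def build_session_response(accept, error=0x82):
    """Listener's answer: 0x82 with no body, or 0x83 with a 1-byte error code
    (0x82 = called name not present, 0x80 = not listening on called name)."""
    if accept:
        return struct.pack("!BBH", POSITIVE_RESPONSE, 0, 0)
    return struct.pack("!BBH", NEGATIVE_RESPONSE, 0, 1) + bytes([error])


def parse_session_packet(data):
    ptype, flags, length = struct.unpack("!BBH", data[:4])
    length |= (flags & 0x01) << 16  # flag bit 0 extends LENGTH to 17 bits
    info = {"type": ptype, "length": length}
    if ptype == SESSION_REQUEST:
        info["called"] = decode_name(data[5:37])
        info["calling"] = decode_name(data[39:71])
    elif ptype == NEGATIVE_RESPONSE:
        info["error"] = data[4]
    return info


def build_datagram(msg_type, dgm_id, src_ip, src_port, src, dst, user_data,
                   first=True, more=False, snt=0):
    """src/dst are (name, suffix) tuples. FLAGS packs the sender's node type
    (SNT: 0=B, 1=P, 2=M) with the FIRST and MORE fragment bits."""
    flags = (snt << 2) | (int(first) << 1) | int(more)
    payload = _label(*src) + _label(*dst) + user_data
    ip_int = int.from_bytes(bytes(int(o) for o in src_ip.split(".")), "big")
    header = DGM_HEADER.pack(msg_type, flags, dgm_id, ip_int, src_port, len(payload), 0)
    return header + payload


def parse_datagram(data):
    msg_type, flags, dgm_id, ip_int, src_port, length, _offset = DGM_HEADER.unpack(data[:14])
    first, more = bool(flags & 0x02), bool(flags & 0x01)
    info = {"msg_type": DGM_TYPES.get(msg_type, "other"), "dgm_id": dgm_id,
            "source_ip": ".".join(str(b) for b in ip_int.to_bytes(4, "big")),
            "source_port": src_port, "first": first, "more": more,
            # a lone, complete datagram is FIRST without MORE; anything else is a fragment
            "fragmented": more or not first, "user_data": None}
    if msg_type in (0x10, 0x11, 0x12):
        info["source_name"] = decode_name(data[15:47])
        info["dest_name"] = decode_name(data[49:81])
        info["user_data"] = data[82:14 + length]
    return info
```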
Outline
Introduction to Presentation Layer
NetBIOS
CIFS or SMB
NetBIOS and Enumeration
Sniffing Encrypted Traffic
CIFS Properties
CIFS allows file sharing between network nodes.
Client/server + request/response:
Allows multiple simultaneous requests by assigning a multiplex ID (MID) to each request; the server replies with the same MID.
Command based:
Each packet contains a command field indicating the packet's purpose, e.g. login, open a file, read from a file, or write to a file.
The CIFS packet contains a 1-byte command field, allowing for more than 100 commands.
CIFS Properties (cont.)
Protocol dialects/negotiation:
Allows different variants (dialects) of CIFS to communicate.
When a client wishes to access files on a remote server, it sends a negotiate protocol packet containing a list of dialect strings that it is capable of understanding.
The server sends back a response indicating which dialect it wishes to use.
(packet capture: the client's list of SMB variants and the server's chosen SMB variant; not reproduced in the transcript)
SMB Variants (Dialects)
(table of dialects; not reproduced in the transcript)
Ref: http://samba.anu.edu.au/cifs/docs/what-is-smb.html
CIFS Properties (cont.)
User-level security:
A client wishing to access the share must provide a username and a password.
Used in Windows 2000 onwards.
Share-level security:
The share itself requires only a password; no username is required.
Used in Windows 95 and 98.
CIFS Properties (cont.)
Encryption:
The password entered is sent to the server in an encrypted form (NTLM and LanMan).
Opportunistic locking (oplock):
When a CIFS packet specifies that a file be opened, an oplock can be requested.
If granted by the server, no other entity can access the file.
CIFS Packet Header (diagram of the header fields; not reproduced in the transcript)
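The header, MID multiplexing and dialect negotiation described on the preceding slides, as an added example that is neither the lecture's code nor any SMB implementation's. It packs and parses the 32-byte SMB1 header, builds a NEGOTIATE request carrying the client's dialect strings, and has a toy server choose the newest dialect it shares with the client and answer with an NT LM 0.12 response whose SecurityMode bits advertise user-level security and challenge/response passwords; the client then matches replies to outstanding requests by MID. The server's dialect preference, domain name, challenge bytes and buffer-size numbers are constructed values, and only the standard library is used.

```python
# Added example (not from the lecture): SMB1/CIFS header and NEGOTIATE exchange
# laid out as in MS-CIFS. Server preferences and numeric values are constructed.
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80
# 32-byte header: Protocol, Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures, Reserved, TID, PIDLow, UID, MID (all little-endian)
HEADER = struct.Struct("<4sBIBHH8sHHHHH")
# the 17 parameter words of an NT LM 0.12 NEGOTIATE response
NEG_RESP_WORDS = struct.Struct("<HBHHIIIIqhB")

SERVER_DIALECTS = ["NT LM 0.12", "LANMAN2.1", "LANMAN1.0"]  # constructed, newest first
SERVER_DOMAIN = b"EXAMPLE"                                  # constructed


def build_header(command, mid, pid=0, tid=0, uid=0, status=0, flags=0x18, flags2=0x0001):
    return HEADER.pack(SMB_MAGIC, command, status, flags, flags2, pid >> 16,
                       bytes(8), 0, tid, pid & 0xFFFF, uid, mid)


def parse_header(pkt):
    magic, cmd, status, flags, _f2, pid_hi, _sig, _res, tid, pid_lo, uid, mid = HEADER.unpack_from(pkt)
    if magic != SMB_MAGIC:
        raise ValueError("not an SMB1 packet")
    return {"command": cmd, "status": status, "tid": tid, "uid": uid, "mid": mid,
            "pid": (pid_hi << 16) | pid_lo, "is_response": bool(flags & SMB_FLAGS_REPLY)}


def build_negotiate_request(dialects, mid, pid=0):
    """WordCount=0, ByteCount, then one 0x02-prefixed NUL-terminated string per dialect."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return build_header(SMB_COM_NEGOTIATE, mid, pid=pid) + b"\x00" + struct.pack("<H", len(data)) + data


def parse_negotiate_request(pkt):
    word_count = pkt[32]
    pos = 33 + 2 * word_count
    byte_count = struct.unpack_from("<H", pkt, pos)[0]
    dialects = []
    for entry in pkt[pos + 2:pos + 2 + byte_count].split(b"\x00"):
        if entry:
            if entry[0] != 0x02:
                raise ValueError("bad dialect buffer format")
            dialects.append(entry[1:].decode("ascii"))
    return dialects


def build_negotiate_response(request, challenge=bytes(range(8))):
    """Server side: pick the newest shared dialect and echo the client's MID/PID.
    `challenge` is random on a real server; a fixed constructed value is used here."""
    hdr = parse_header(request)
    offered = parse_negotiate_request(request)
    index = next((offered.index(d) for d in SERVER_DIALECTS if d in offered), 0xFFFF)
    resp = build_header(SMB_COM_NEGOTIATE, hdr["mid"], pid=hdr["pid"], flags=0x18 | SMB_FLAGS_REPLY)
    if index == 0xFFFF:  # no common dialect: WordCount=1, DialectIndex=0xFFFF, ByteCount=0
        return resp + b"\x01" + struct.pack("<H", 0xFFFF) + b"\x00\x00"
    security_mode = 0x03  # bit0: user-level security, bit1: challenge/response ("encrypted") passwords
    max_mpx_count = 50    # how many requests may be outstanding, i.e. how many MIDs in flight
    words = NEG_RESP_WORDS.pack(index, security_mode, max_mpx_count, 1, 16644, 65536,
                                0, 0, 0, 0, len(challenge))
    data = challenge + SERVER_DOMAIN + b"\x00"
    return resp + bytes([17]) + words + struct.pack("<H", len(data)) + data


def parse_negotiate_response(pkt):
    if pkt[32] == 1:
        return {"dialect_index": 0xFFFF}
    index, security_mode, max_mpx, _vcs, _buf, _raw, _key, _caps, _time, _tz, clen = \
        NEG_RESP_WORDS.unpack_from(pkt, 33)
    data_pos = 33 + NEG_RESP_WORDS.size + 2  # skip the parameter words and ByteCount
    return {"dialect_index": index, "user_level_security": bool(security_mode & 1),
            "encrypted_passwords": bool(security_mode & 2), "max_mpx_count": max_mpx,
            "challenge": pkt[data_pos:data_pos + clen]}


def match_responses(requests, responses):
    """Client side: replies may arrive in any order, so pair each by its MID."""
    pending = {parse_header(r)["mid"]: r for r in requests}
    return {parse_header(p)["mid"]: p for p in responses if parse_header(p)["mid"] in pending}
```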
CIFS Operations
The client initiates contact with a server.
The client opens a file and reads from it.
Initial Contact, Login, and Tree Connect
Client -> Server: Establish NetBIOS session
Server -> Client: Positive NetBIOS session acknowledgement
Client -> Server: Negotiate CIFS dialect
Server -> Client: Choose CIFS dialect from the request list
Client -> Server: User login
Server -> Client: Indicate User ID, or return an error if the password is bad
Client -> Server: Connect to a particular resource
Server -> Client: Indicate Tree ID, or an error if the share name does not exist
File Open and Read
Client -> Server: Open a file
Server -> Client: Indicate File ID, or an error code if there is a problem
Client -> Server: Read from a file
Server -> Client: Return the file data requested
SMB and SAMBA
SAMBA is a project established to provide free implementations of the SMB protocol for various platforms.
The SAMBA project has had to "reverse engineer" the protocols and continues to work in this manner in order to keep the software free.
Despite having released a version of SMB to the X/Open organization, Microsoft continues to develop the protocol as a proprietary protocol, and details of some of the more recent versions have not been made freely available.
Null User Overview
At the core of the Windows authentication scheme lies the 'User' administrative unit.
When we create users, we assign them rights, privileges, and policy restrictions to define what they can and can't do on our networks.
But in addition to the standard User, Windows supports a special type of user called the 'Null' user, which is basically a pseudo-account that has no username or password but is allowed to access certain information on the network.
Some MS OSes and services used to require the null user in order to operate properly.
Null User Overview (cont.)
The null user can enumerate account names and shares on domain controllers, member servers, and workstations alike.
Therefore this null user, a user with no credentials, can be used to glean a tremendous amount of information from your network without raising any eyebrows.
Null User Overview (cont.)
Microsoft's System Management Server uses the null user to enumerate shares during discovery.
Even the mundane action of starting an NT workstation or server creates an initial null user logon to one of your domain controllers after its NetBIOS name is successfully registered (before you get the Ctrl+Alt+Delete logon prompt).
The System account uses the null user to get to remote resources.
NetBIOS Enumeration
Null sessions allow users to communicate via NetBIOS in order to query any server as the null user.
If this occurs, the user can enumerate shares, users, groups, permissions, and policies, and can probably brute-force their way into the network.
Many tools can be used to enumerate different aspects of a Windows server.
enum
enum is a console-based Win32 information enumeration utility.
Using null sessions, enum can retrieve user lists, machine lists, share lists, name lists, group and member lists, and password and LSA policy information.
enum is also capable of a rudimentary brute-force dictionary attack on individual accounts.
Ref: http://www.cotse.com/tools/netbios.htm
enum (cont.)
(screenshots: enum retrieving the user list and the password policy, which shows no limit on the number of logon attempts; not reproduced in the transcript)
enum (cont.)
(screenshot: enum running a dictionary attack; not reproduced in the transcript)
Exploiting the IPC$ Share
Windows has hidden administrative shares whose names end in $ (e.g. C$, ADMIN$, IPC$). The system tells itself to omit these shares from any request for the enumeration of shares.
The InterProcess Communication (IPC$) share is necessary to make systems work properly.
IPC$ is used for data sharing between processes.
In old versions of Windows (esp. NT), users can exploit IPC$ and other hidden shares through a null session.
Once connected, the user may use the net view and net use commands to browse and connect to the hidden shares on a machine.
Exploiting the IPC$ Share (cont.)
(screenshot: net view and net use against the hidden shares; not reproduced in the transcript)
winfo
C:\winfo\winfo 192.168.1.1 -v -n
-v: verbose output
-n: establish a null session before dumping data
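A detection-side counterpart to the enumeration tools on the preceding slides, as an added example that is not from the lecture: it summarises anonymous network logons (event 4624, logon type 3, ANONYMOUS LOGON) and anonymous share access (event 5140) per source address, then flags hosts that reach IPC$ anonymously or repeat null logons. The event lines are constructed for the example in a flattened key=value form; the field names are those of the real Windows Security events, but the line format is an assumption, so adapt parse_event to your collector's output.

```python
# Added example (not from the lecture): spotting null-session enumeration in
# Windows Security events. The records below are constructed samples in a
# flattened "EventID key=value ..." layout (real events are EVTX/XML).
import re
from collections import defaultdict

SAMPLE_EVENTS = r"""
4624 LogonType=3 TargetUserName="ANONYMOUS LOGON" TargetDomainName="NT AUTHORITY" IpAddress=192.168.1.50 AuthenticationPackageName=NTLM
5140 SubjectUserName="ANONYMOUS LOGON" ShareName=\\*\IPC$ IpAddress=192.168.1.50 AccessMask=0x1
4624 LogonType=3 TargetUserName=alice TargetDomainName=CORP IpAddress=192.168.1.20 AuthenticationPackageName=Kerberos
5140 SubjectUserName=alice ShareName=\\*\Finance IpAddress=192.168.1.20 AccessMask=0x1
4624 LogonType=3 TargetUserName="ANONYMOUS LOGON" TargetDomainName="NT AUTHORITY" IpAddress=192.168.1.50 AuthenticationPackageName=NTLM
4624 LogonType=3 TargetUserName="ANONYMOUS LOGON" TargetDomainName="NT AUTHORITY" IpAddress=10.0.0.9 AuthenticationPackageName=NTLM
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
NULL_USER = "ANONYMOUS LOGON"


def parse_event(line):
    """'4624 k=v k="v v"' -> dict with an integer EventID and string fields."""
    event_id, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    fields["EventID"] = int(event_id)
    return fields


def summarise_null_sessions(lines):
    """Per source IP: count of anonymous network logons (4624 / LogonType 3)
    and the set of shares the anonymous user touched (5140)."""
    per_ip = defaultdict(lambda: {"null_logons": 0, "shares": set()})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        ip = ev.get("IpAddress", "?")
        if (ev["EventID"] == 4624 and ev.get("LogonType") == "3"
                and ev.get("TargetUserName", "").upper() == NULL_USER):
            per_ip[ip]["null_logons"] += 1
        elif ev["EventID"] == 5140 and ev.get("SubjectUserName", "").upper() == NULL_USER:
            per_ip[ip]["shares"].add(ev.get("ShareName", "?"))
    return dict(per_ip)


def flag_enumeration(summary, known_legacy_hosts=frozenset(), threshold=2):
    """Alert on hosts outside the allow-list that either reach IPC$ anonymously
    or repeat null logons; hosts running legacy services that still depend on
    null sessions belong on known_legacy_hosts rather than in the alerts."""
    alerts = []
    for ip, s in summary.items():
        if ip in known_legacy_hosts:
            continue
        ipc = any(share.upper().endswith("IPC$") for share in s["shares"])
        if ipc or s["null_logons"] >= threshold:
            alerts.append((ip, "anonymous IPC$ access" if ipc else "repeated null logons"))
    return sorted(alerts)
```

Because the slides note that some legacy services still depend on null sessions, baseline which hosts legitimately produce them before alerting; on current Windows the RestrictAnonymous and RestrictAnonymousSAM LSA settings limit what a null session can enumerate in the first place.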
Other NetBIOS Issues
An attacker can generate a fake packet to deny a host joining the network.
Many vulnerabilities have been fixed in newer Windows OSes, but several organizations still have legacy systems.
Thus, these types of NetBIOS vulnerabilities still exist.
Sniffing Encrypted Traffic
Obfuscation:
Some schemes use encryption and others use a one-way function.
The aim is to make it difficult to intercept the transmission of a message and retrieve its content.
Base64 encoding:
Not suitable for data protection (confidentiality).
There is no shared key between the encode and decode functions.
Sniffing Encrypted Traffic (cont.)
XOR encryption:
Uses a shared key and provides more protection.
Sniffing Encrypted Traffic (cont.)
Message Digest:
MD5 and SHA-1.
Not an encryption algorithm.
The premise of using digests and hashes is to make it difficult for a collision to occur: it is computationally infeasible to reproduce identical digests/hashes from different inputs.
Most commonly used to obfuscate passwords.
Vulnerable to brute-force and rainbow table attacks.
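The three schemes on these slides side by side, as an added example that is not from the lecture: Base64 is recovered by anyone who captures it, repeating-key XOR round-trips with the shared key but leaks that key from a few bytes of known plaintext, and a digest cannot be decoded at all, yet the same unsalted input always yields the same digest, which is what lets precomputed (rainbow) tables work. A salted, iterated PBKDF2 hash is shown as the mitigation. All messages, keys and salts are constructed.

```python
# Added example (not from the lecture): what a sniffer gets from each
# "protection" scheme. Messages, keys and salts are constructed samples.
import base64
import hashlib


def obfuscate_base64(message):
    """What a Base64-'protected' field looks like on the wire."""
    return base64.b64encode(message.encode("utf-8")).decode("ascii")


def recover_base64(captured):
    """No key is involved, so the captured value decodes directly."""
    return base64.b64decode(captured).decode("utf-8")


def xor_crypt(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_keystream_from_known_plaintext(ciphertext, known_prefix):
    """XOR is linear: ciphertext XOR known plaintext gives the key bytes used
    for those positions. With a short repeating key that is the whole key."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


def digest(value, algo):
    """MD5/SHA-1 as on the slide: one-way, so there is nothing to decode,
    but deterministic, so equal inputs give equal outputs."""
    return hashlib.new(algo, value.encode("utf-8")).hexdigest()


def salted_hash(password, salt, iterations=100_000):
    """Mitigation for table attacks: a per-user salt makes identical passwords
    hash differently, and the iteration count makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()
```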
Kerberos (diagram of the Kerberos exchange; not reproduced in the transcript)
Attacking Kerberos
The key for communication between C (the client) and the AS (authentication server) is derived from the user's password.
Windows computes a one-way function (OWF) against the password to generate the key.
If the hash value is known, we can run a dictionary attack against the key (a known ciphertext attack).
The security of Kerberos depends on how strong the password is.
Attacking Kerberos (cont.)
(screenshot: the hashed password; not reproduced in the transcript)
Attacking Kerberos (cont.)
Run Kerbsniff, a command-line utility, to capture the AS-REQ value to a text file.
Attacking Kerberos (cont.)
Run Kerbcrack on the hashed password to recover the password.
(screenshot: Kerbcrack's input file and dictionary attack; not reproduced in the transcript)
Attacking Weak Protection Schemes
It is often said that data protection requires strong cryptographic algorithms that can resist a dictionary or brute-force attack.
However, much of the problem lies in selecting weak passwords.
A weak protection scheme reduces the effort an attacker must expend once the hash value is known.
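The point of this slide and of the Kerberos slides before it, as an added example that is not the lecture's code: once a value derived from a password has been captured, the work needed to recover the password is set by the password and by the hashing scheme. compare_effort runs one constructed wordlist against an unsalted MD5 hash and against a salted, iterated PBKDF2 hash of the same password and reports whether each is found, after how many guesses, and how long it took; a strong passphrase absent from the list is not found under either. MD5 and PBKDF2 stand in for the Windows one-way function and are an assumption of the example, as are the wordlist, salt and iteration count.

```python
# Added example (not from the lecture): the same dictionary run against a weak
# and a strong protection scheme. Wordlist, salt and iterations are constructed.
import hashlib
import hmac
import time

WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2019", "Welcome1"]  # constructed


def md5_hex(password):
    """Weak scheme: unsalted single MD5, as a legacy password store might use."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hex(password, salt, iterations):
    """Stronger scheme: salted, iterated PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def dictionary_attack(target_hex, candidates, hash_fn):
    """Offline guess-and-compare against a captured hash.
    Returns (recovered password or None, number of guesses made)."""
    for count, word in enumerate(candidates, start=1):
        if hmac.compare_digest(hash_fn(word), target_hex):
            return word, count
    return None, len(candidates)


def compare_effort(password, salt=b"constructed-salt", iterations=50_000):
    """Hash `password` under both schemes, then run WORDLIST against each and
    record outcome, guesses and wall time. Same wordlist, same password: the
    only thing that changes between the two rows is the cost of each guess."""
    schemes = {
        "md5": md5_hex,
        "pbkdf2": lambda p: pbkdf2_hex(p, salt, iterations),
    }
    results = {}
    for name, fn in schemes.items():
        target = fn(password)  # the value an attacker is assumed to have captured
        started = time.perf_counter()
        found, guesses = dictionary_attack(target, WORDLIST, fn)
        results[name] = {"found": found, "guesses": guesses,
                         "seconds": time.perf_counter() - started}
    return results
```

The PBKDF2 row is slower by roughly the iteration count, which is the lever a defender controls; the wordlist row shows the lever the user controls, since a password outside any list is not found however cheap the hash is.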
John the Ripper
Available at http://www.openwall.com/john/
Questions?
Next week
Application Layer Security